Snapd can't access global Seccomp profile => can't even shell into snap

Sorry for the delay. It was pretty late at night in my time zone :sweat_smile:

Oh, a lot has changed since then (haha). The previous snapcraft.yaml is completely different. The main part was built using Docker to generate a special read-only filesystem. To be honest, comparing this snap with the previous snap brings in so many confounding variables that it’d be like comparing it with another snap.

```
-rw-r--r-- 1 root root   152 Feb 18 23:29 global.bin
-rw-r--r-- 1 root root    32 May  7 20:05 snap.mysnap.mydaemon.bin
$ file mydaemonexecutable
mydaemonexecutable: executable, regular file, no read permission
$ uname -a
Linux p3-usr-zjoseal 5.3.0-1023-raspi2 #25-Ubuntu SMP Tue Apr 14 11:38:43 UTC 2020 armv7l armv7l armv7l GNU/Linux
```

I should have also mentioned that I’ve been overwriting the seccomp and apparmor profiles as part of an effort to develop a custom interface. When I stop overwriting the profiles, I’m able to at least shell into the snap (although this breaks my snap). This somewhat makes sense. Earlier, I had a problem where I couldn’t shell into the snap because the profile wasn’t loaded.

These custom profiles didn’t cause problems on amd64 or arm64. Could it be that they’re not being accepted by the armhf snapd? How do I go about narrowing down why the profiles aren’t appropriate?

I also found that using > instead of | tee to write snappy-debug logs was not yielding logs. Apparently overwriting the profiles causes these objections from Seccomp:

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6db7d56 code=0x50000
Syscall: access

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6e30dc8 code=0x50000
Syscall: umask

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 85(readlink) compat=0 ip=0xb6e32b58 code=0x50000
Syscall: readlink

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 4(write) compat=0 ip=0xb6db7d56 code=0x50000
Syscall: write

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 248(exit_group) compat=0 ip=0xb6db7d56 code=0x50000
Syscall: exit_group

= Seccomp =
Time: May  7 20:05:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 1(exit) compat=0 ip=0xb6db7d56 code=0x50000
Syscall: exit

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6dbcd56 code=0x50000
Syscall: access

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6e35dc8 code=0x50000
Syscall: umask

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 85(readlink) compat=0 ip=0xb6e37b58 code=0x50000
Syscall: readlink

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 4(write) compat=0 ip=0xb6dbcd56 code=0x50000
Syscall: write

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 248(exit_group) compat=0 ip=0xb6dbcd56 code=0x50000
Syscall: exit_group

= Seccomp =
Time: May  7 20:05:49
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 1(exit) compat=0 ip=0xb6dbcd56 code=0x50000
Syscall: exit

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6e7fd56 code=0x50000
Syscall: access

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6ef8dc8 code=0x50000
Syscall: umask

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 85(readlink) compat=0 ip=0xb6efab58 code=0x50000
Syscall: readlink

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 4(write) compat=0 ip=0xb6e7fd56 code=0x50000
Syscall: write

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 248(exit_group) compat=0 ip=0xb6e7fd56 code=0x50000
Syscall: exit_group

= Seccomp =
Time: May  7 20:05:50
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12258 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 1(exit) compat=0 ip=0xb6e7fd56 code=0x50000
Syscall: exit

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6e71d56 code=0x50000
Syscall: access

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6eeadc8 code=0x50000
Syscall: umask

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 85(readlink) compat=0 ip=0xb6eecb58 code=0x50000
Syscall: readlink

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 4(write) compat=0 ip=0xb6e71d56 code=0x50000
Syscall: write

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 248(exit_group) compat=0 ip=0xb6e71d56 code=0x50000
Syscall: exit_group

= Seccomp =
Time: May  7 20:05:51
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12310 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 1(exit) compat=0 ip=0xb6e71d56 code=0x50000
Syscall: exit

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6df5d56 code=0x50000
Syscall: access

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6e6edc8 code=0x50000
Syscall: umask

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 85(readlink) compat=0 ip=0xb6e70b58 code=0x50000
Syscall: readlink

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 4(write) compat=0 ip=0xb6df5d56 code=0x50000
Syscall: write

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 248(exit_group) compat=0 ip=0xb6df5d56 code=0x50000
Syscall: exit_group

= Seccomp =
Time: May  7 20:05:53
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12362 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 1(exit) compat=0 ip=0xb6df5d56 code=0x50000
Syscall: exit
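
One way to read the fields in the denials above, as an added example that is not part of the original post: it groups the lines by process and decodes `arch=` and `code=` using the constants from `linux/audit.h` and `linux/seccomp.h`. The function name `summarize` and the `SAMPLE` text (three lines copied from the output above) are this example's own.

```python
import re
from collections import defaultdict

# Constants from the Linux UAPI headers linux/audit.h and linux/seccomp.h.
AUDIT_ARCH = {
    0x40000028: "AUDIT_ARCH_ARM",       # 32-bit little-endian ARM (armhf)
    0xC00000B7: "AUDIT_ARCH_AARCH64",
    0xC000003E: "AUDIT_ARCH_X86_64",
    0x40000003: "AUDIT_ARCH_I386",
}
SECCOMP_ACTION = {
    0x80000000: "KILL_PROCESS",
    0x00000000: "KILL_THREAD",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FFC0000: "LOG",
    0x7FFF0000: "ALLOW",
}
ACTION_MASK = 0xFFFF0000  # SECCOMP_RET_ACTION_FULL

# Matches the "Log:" lines as printed by snappy-debug, e.g. "33(access)".
LINE = re.compile(
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)".*?'
    r'arch=(?P<arch>[0-9a-f]+) (?P<nr>\d+)\((?P<name>\w+)\).*?'
    r'code=0x(?P<code>[0-9a-f]+)'
)

# Three lines copied from the log in the post above.
SAMPLE = '''
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6db7d56 code=0x50000
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12138 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 60(umask) compat=0 ip=0xb6e30dc8 code=0x50000
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12205 comm="snap-confine" exe="/snap/snapd/7266/usr/lib/snapd/snap-confine" sig=0 arch=40000028 33(access) compat=0 ip=0xb6dbcd56 code=0x50000
'''

def summarize(log_text):
    """Group seccomp denials by (pid, comm) and decode arch and action."""
    out = defaultdict(lambda: {"arch": None, "action": None, "syscalls": []})
    for m in LINE.finditer(log_text):
        entry = out[(int(m["pid"]), m["comm"])]
        entry["arch"] = AUDIT_ARCH.get(int(m["arch"], 16), "unknown")
        code = int(m["code"], 16)
        entry["action"] = SECCOMP_ACTION.get(code & ACTION_MASK, "unknown")
        entry["syscalls"].append(f'{m["nr"]}({m["name"]})')
    return dict(out)

if __name__ == "__main__":
    for (pid, comm), info in summarize(SAMPLE).items():
        print(pid, comm, info["arch"], info["action"], info["syscalls"])
```
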